npm - @de-otio/chaoskb-server - Versions diffs - 0.2.0 - Mend

@de-otio/chaoskb-server 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/dist/lib/admin-handler/index.d.ts +22 -0
package/dist/lib/admin-handler/index.d.ts.map +1 -0
package/dist/lib/admin-handler/index.js +92 -0
package/dist/lib/admin-handler/index.js.map +1 -0
package/dist/lib/admin-handler/index.ts +123 -0
package/dist/lib/admin-handler/routes/metrics.d.ts +11 -0
package/dist/lib/admin-handler/routes/metrics.d.ts.map +1 -0
package/dist/lib/admin-handler/routes/metrics.js +200 -0
package/dist/lib/admin-handler/routes/metrics.js.map +1 -0
package/dist/lib/admin-handler/routes/metrics.ts +234 -0
package/dist/lib/admin-handler/routes/overview.d.ts +9 -0
package/dist/lib/admin-handler/routes/overview.d.ts.map +1 -0
package/dist/lib/admin-handler/routes/overview.js +110 -0
package/dist/lib/admin-handler/routes/overview.js.map +1 -0
package/dist/lib/admin-handler/routes/overview.ts +133 -0
package/dist/lib/admin-handler/routes/tenants.d.ts +10 -0
package/dist/lib/admin-handler/routes/tenants.d.ts.map +1 -0
package/dist/lib/admin-handler/routes/tenants.js +108 -0
package/dist/lib/admin-handler/routes/tenants.js.map +1 -0
package/dist/lib/admin-handler/routes/tenants.ts +134 -0
package/dist/lib/chaoskb-stack.d.ts +22 -0
package/dist/lib/chaoskb-stack.d.ts.map +1 -0
package/dist/lib/chaoskb-stack.js +60 -0
package/dist/lib/chaoskb-stack.js.map +1 -0
package/dist/lib/constructs/admin-api.d.ts +16 -0
package/dist/lib/constructs/admin-api.d.ts.map +1 -0
package/dist/lib/constructs/admin-api.js +93 -0
package/dist/lib/constructs/admin-api.js.map +1 -0
package/dist/lib/constructs/admin-dashboard.d.ts +18 -0
package/dist/lib/constructs/admin-dashboard.d.ts.map +1 -0
package/dist/lib/constructs/admin-dashboard.js +172 -0
package/dist/lib/constructs/admin-dashboard.js.map +1 -0
package/dist/lib/constructs/api.d.ts +17 -0
package/dist/lib/constructs/api.d.ts.map +1 -0
package/dist/lib/constructs/api.js +81 -0
package/dist/lib/constructs/api.js.map +1 -0
package/dist/lib/constructs/auth.d.ts +11 -0
package/dist/lib/constructs/auth.d.ts.map +1 -0
package/dist/lib/constructs/auth.js +18 -0
package/dist/lib/constructs/auth.js.map +1 -0
package/dist/lib/constructs/blob-store.d.ts +10 -0
package/dist/lib/constructs/blob-store.d.ts.map +1 -0
package/dist/lib/constructs/blob-store.js +31 -0
package/dist/lib/constructs/blob-store.js.map +1 -0
package/dist/lib/deploy-cli.d.ts +3 -0
package/dist/lib/deploy-cli.d.ts.map +1 -0
package/dist/lib/deploy-cli.js +49 -0
package/dist/lib/deploy-cli.js.map +1 -0
package/dist/lib/handler/index.d.ts +23 -0
package/dist/lib/handler/index.d.ts.map +1 -0
package/dist/lib/handler/index.js +276 -0
package/dist/lib/handler/index.js.map +1 -0
package/dist/lib/handler/index.ts +372 -0
package/dist/lib/handler/logger.d.ts +16 -0
package/dist/lib/handler/logger.d.ts.map +1 -0
package/dist/lib/handler/logger.js +26 -0
package/dist/lib/handler/logger.js.map +1 -0
package/dist/lib/handler/logger.ts +36 -0
package/dist/lib/handler/middleware/input-validation.d.ts +6 -0
package/dist/lib/handler/middleware/input-validation.d.ts.map +1 -0
package/dist/lib/handler/middleware/input-validation.js +36 -0
package/dist/lib/handler/middleware/input-validation.js.map +1 -0
package/dist/lib/handler/middleware/input-validation.ts +44 -0
package/dist/lib/handler/middleware/rate-limit.d.ts +14 -0
package/dist/lib/handler/middleware/rate-limit.d.ts.map +1 -0
package/dist/lib/handler/middleware/rate-limit.js +94 -0
package/dist/lib/handler/middleware/rate-limit.js.map +1 -0
package/dist/lib/handler/middleware/rate-limit.ts +121 -0
package/dist/lib/handler/middleware/ssh-auth.d.ts +48 -0
package/dist/lib/handler/middleware/ssh-auth.d.ts.map +1 -0
package/dist/lib/handler/middleware/ssh-auth.js +256 -0
package/dist/lib/handler/middleware/ssh-auth.js.map +1 -0
package/dist/lib/handler/middleware/ssh-auth.ts +300 -0
package/dist/lib/handler/routes/audit.d.ts +24 -0
package/dist/lib/handler/routes/audit.d.ts.map +1 -0
package/dist/lib/handler/routes/audit.js +94 -0
package/dist/lib/handler/routes/audit.js.map +1 -0
package/dist/lib/handler/routes/audit.ts +101 -0
package/dist/lib/handler/routes/blobs.d.ts +13 -0
package/dist/lib/handler/routes/blobs.d.ts.map +1 -0
package/dist/lib/handler/routes/blobs.js +298 -0
package/dist/lib/handler/routes/blobs.js.map +1 -0
package/dist/lib/handler/routes/blobs.ts +348 -0
package/dist/lib/handler/routes/devices.d.ts +48 -0
package/dist/lib/handler/routes/devices.d.ts.map +1 -0
package/dist/lib/handler/routes/devices.js +394 -0
package/dist/lib/handler/routes/devices.js.map +1 -0
package/dist/lib/handler/routes/devices.ts +458 -0
package/dist/lib/handler/routes/export.d.ts +9 -0
package/dist/lib/handler/routes/export.d.ts.map +1 -0
package/dist/lib/handler/routes/export.js +40 -0
package/dist/lib/handler/routes/export.js.map +1 -0
package/dist/lib/handler/routes/export.ts +55 -0
package/dist/lib/handler/routes/github.d.ts +31 -0
package/dist/lib/handler/routes/github.d.ts.map +1 -0
package/dist/lib/handler/routes/github.js +118 -0
package/dist/lib/handler/routes/github.js.map +1 -0
package/dist/lib/handler/routes/github.ts +162 -0
package/dist/lib/handler/routes/health.d.ts +6 -0
package/dist/lib/handler/routes/health.d.ts.map +1 -0
package/dist/lib/handler/routes/health.js +14 -0
package/dist/lib/handler/routes/health.js.map +1 -0
package/dist/lib/handler/routes/health.ts +10 -0
package/dist/lib/handler/routes/invites.d.ts +24 -0
package/dist/lib/handler/routes/invites.d.ts.map +1 -0
package/dist/lib/handler/routes/invites.js +445 -0
package/dist/lib/handler/routes/invites.js.map +1 -0
package/dist/lib/handler/routes/invites.ts +527 -0
package/dist/lib/handler/routes/notifications.d.ts +39 -0
package/dist/lib/handler/routes/notifications.d.ts.map +1 -0
package/dist/lib/handler/routes/notifications.js +150 -0
package/dist/lib/handler/routes/notifications.js.map +1 -0
package/dist/lib/handler/routes/notifications.ts +163 -0
package/dist/lib/handler/routes/projects.d.ts +24 -0
package/dist/lib/handler/routes/projects.d.ts.map +1 -0
package/dist/lib/handler/routes/projects.js +47 -0
package/dist/lib/handler/routes/projects.js.map +1 -0
package/dist/lib/handler/routes/projects.ts +69 -0
package/dist/lib/handler/routes/register.d.ts +19 -0
package/dist/lib/handler/routes/register.d.ts.map +1 -0
package/dist/lib/handler/routes/register.js +327 -0
package/dist/lib/handler/routes/register.js.map +1 -0
package/dist/lib/handler/routes/register.ts +363 -0
package/dist/lib/handler/routes/restore.d.ts +9 -0
package/dist/lib/handler/routes/restore.d.ts.map +1 -0
package/dist/lib/handler/routes/restore.js +52 -0
package/dist/lib/handler/routes/restore.js.map +1 -0
package/dist/lib/handler/routes/restore.ts +73 -0
package/dist/lib/handler/routes/revocation.d.ts +13 -0
package/dist/lib/handler/routes/revocation.d.ts.map +1 -0
package/dist/lib/handler/routes/revocation.js +63 -0
package/dist/lib/handler/routes/revocation.js.map +1 -0
package/dist/lib/handler/routes/revocation.ts +87 -0
package/dist/lib/handler/routes/rotation.d.ts +24 -0
package/dist/lib/handler/routes/rotation.d.ts.map +1 -0
package/dist/lib/handler/routes/rotation.js +291 -0
package/dist/lib/handler/routes/rotation.js.map +1 -0
package/dist/lib/handler/routes/rotation.ts +336 -0
package/dist/lib/handler/routes/tenants.d.ts +11 -0
package/dist/lib/handler/routes/tenants.d.ts.map +1 -0
package/dist/lib/handler/routes/tenants.js +181 -0
package/dist/lib/handler/routes/tenants.js.map +1 -0
package/dist/lib/handler/routes/tenants.ts +198 -0
package/dist/lib/handler/routes/wrapped-key.d.ts +21 -0
package/dist/lib/handler/routes/wrapped-key.d.ts.map +1 -0
package/dist/lib/handler/routes/wrapped-key.js +76 -0
package/dist/lib/handler/routes/wrapped-key.js.map +1 -0
package/dist/lib/handler/routes/wrapped-key.ts +108 -0
package/dist/lib/index.d.ts +7 -0
package/dist/lib/index.d.ts.map +1 -0
package/dist/lib/index.js +16 -0
package/dist/lib/index.js.map +1 -0
package/dist/vitest.config.d.ts +3 -0
package/dist/vitest.config.d.ts.map +1 -0
package/dist/vitest.config.js +18 -0
package/dist/vitest.config.js.map +1 -0
package/package.json +61 -0

package/dist/lib/handler/routes/invites.ts ADDED Viewed

@@ -0,0 +1,527 @@
+import * as crypto from 'crypto';
+import {
+  DynamoDBDocumentClient,
+  PutCommand,
+  GetCommand,
+  UpdateCommand,
+  QueryCommand,
+} from '@aws-sdk/lib-dynamodb';
+import { logger } from '../logger.js';
+import { logAuditEvent } from './audit.js';
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+const FOURTEEN_DAYS_MS = 14 * 24 * 60 * 60 * 1000;
+const FOURTEEN_DAYS_SECONDS = 14 * 24 * 60 * 60;
+const TWENTY_FOUR_HOURS_SECONDS = 24 * 60 * 60;
+const HOUR_SECONDS = 3600;
+const DAY_SECONDS = 86400;
+const HOURLY_INVITE_LIMIT = 10;
+const DAILY_INVITE_LIMIT = 50;
+const MAX_PENDING_INVITES = 20;
+/**
+ * Check sender rate limits for invite creation.
+ * Uses DynamoDB counters with hourly and daily windows.
+ */
+async function checkInviteRateLimit(
+  senderFingerprint: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<{ allowed: boolean; message?: string }> {
+  const now = Math.floor(Date.now() / 1000);
+  const hourWindow = Math.floor(now / HOUR_SECONDS);
+  const dayWindow = Math.floor(now / DAY_SECONDS);
+  // Check hourly limit
+  const hourResult = await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: {
+        PK: `RATE#INVITE#${senderFingerprint}`,
+        SK: `HOUR#${hourWindow}`,
+      },
+      UpdateExpression: 'SET #count = if_not_exists(#count, :zero) + :one, #ttl = :ttl',
+      ExpressionAttributeNames: {
+        '#count': 'count',
+        '#ttl': 'ttl',
+      },
+      ExpressionAttributeValues: {
+        ':zero': 0,
+        ':one': 1,
+        ':ttl': hourWindow * HOUR_SECONDS + HOUR_SECONDS + 120,
+      },
+      ReturnValues: 'UPDATED_NEW',
+    }),
+  );
+  const hourlyCount = (hourResult.Attributes?.['count'] as number) ?? 1;
+  if (hourlyCount > HOURLY_INVITE_LIMIT) {
+    return { allowed: false, message: 'Hourly invite limit exceeded (max 10/hour)' };
+  }
+  // Check daily limit
+  const dayResult = await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: {
+        PK: `RATE#INVITE#${senderFingerprint}`,
+        SK: `DAY#${dayWindow}`,
+      },
+      UpdateExpression: 'SET #count = if_not_exists(#count, :zero) + :one, #ttl = :ttl',
+      ExpressionAttributeNames: {
+        '#count': 'count',
+        '#ttl': 'ttl',
+      },
+      ExpressionAttributeValues: {
+        ':zero': 0,
+        ':one': 1,
+        ':ttl': dayWindow * DAY_SECONDS + DAY_SECONDS + 120,
+      },
+      ReturnValues: 'UPDATED_NEW',
+    }),
+  );
+  const dailyCount = (dayResult.Attributes?.['count'] as number) ?? 1;
+  if (dailyCount > DAILY_INVITE_LIMIT) {
+    return { allowed: false, message: 'Daily invite limit exceeded (max 50/day)' };
+  }
+  return { allowed: true };
+}
+/**
+ * Check that the recipient doesn't have too many pending invites.
+ */
+async function checkRecipientPendingCount(
+  recipientFingerprint: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<boolean> {
+  const result = await ddb.send(
+    new QueryCommand({
+      TableName: tableName,
+      IndexName: 'GSI-RecipientFingerprint',
+      KeyConditionExpression: 'recipientFingerprint = :fp',
+      FilterExpression: '#status = :pending',
+      ExpressionAttributeNames: {
+        '#status': 'status',
+      },
+      ExpressionAttributeValues: {
+        ':fp': recipientFingerprint,
+        ':pending': 'pending',
+      },
+      Select: 'COUNT',
+    }),
+  );
+  return (result.Count ?? 0) < MAX_PENDING_INVITES;
+}
+/**
+ * POST /v1/invites - Create an invite
+ */
+export async function handleCreateInvite(
+  tenantId: string,
+  fingerprint: string,
+  body: string | null | undefined,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  if (!body) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+    };
+  }
+  let parsed: {
+    recipientFingerprint: string;
+    projectTenantId: string;
+    encryptedPayload: string;
+    role: string;
+  };
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Invalid JSON body' }),
+    };
+  }
+  if (
+    !parsed.recipientFingerprint ||
+    !parsed.projectTenantId ||
+    !parsed.encryptedPayload ||
+    !parsed.role
+  ) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({
+        error: 'invalid_request',
+        message: 'recipientFingerprint, projectTenantId, encryptedPayload, and role are required',
+      }),
+    };
+  }
+  // Validate encryptedPayload is valid base64
+  if (!/^[A-Za-z0-9+/]+=*$/.test(parsed.encryptedPayload)) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'encryptedPayload must be valid base64' }),
+    };
+  }
+  // Check sender rate limits
+  const rateCheck = await checkInviteRateLimit(fingerprint, ddb, tableName);
+  if (!rateCheck.allowed) {
+    return {
+      statusCode: 429,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'rate_limited', message: rateCheck.message }),
+    };
+  }
+  // Check recipient pending count
+  const recipientOk = await checkRecipientPendingCount(
+    parsed.recipientFingerprint,
+    ddb,
+    tableName,
+  );
+  if (!recipientOk) {
+    return {
+      statusCode: 409,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({
+        error: 'recipient_limit',
+        message: 'Recipient has too many pending invites',
+      }),
+    };
+  }
+  const inviteId = crypto.randomUUID();
+  const now = new Date();
+  const createdAt = now.toISOString();
+  const expiresAt = new Date(now.getTime() + FOURTEEN_DAYS_MS).toISOString();
+  const ttl = Math.floor(now.getTime() / 1000) + FOURTEEN_DAYS_SECONDS;
+  await ddb.send(
+    new PutCommand({
+      TableName: tableName,
+      Item: {
+        PK: `INVITE#${inviteId}`,
+        SK: 'META',
+        inviteId,
+        status: 'pending',
+        senderFingerprint: fingerprint,
+        recipientFingerprint: parsed.recipientFingerprint,
+        projectTenantId: parsed.projectTenantId,
+        encryptedPayload: parsed.encryptedPayload,
+        role: parsed.role,
+        createdAt,
+        expiresAt,
+        ttl,
+      },
+    }),
+  );
+  await logAuditEvent(ddb, tableName, tenantId, {
+    eventType: 'invite-created' as any,
+    fingerprint,
+    metadata: {
+      inviteId,
+      recipientFingerprint: parsed.recipientFingerprint,
+      projectTenantId: parsed.projectTenantId,
+      role: parsed.role,
+    },
+  });
+  logger.info('Invite created', { tenantId, inviteId });
+  return {
+    statusCode: 201,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ inviteId, status: 'pending' }),
+  };
+}
+/**
+ * GET /v1/invites - List pending invites for the authenticated user
+ */
+export async function handleListInvites(
+  tenantId: string,
+  fingerprint: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const now = new Date().toISOString();
+  const result = await ddb.send(
+    new QueryCommand({
+      TableName: tableName,
+      IndexName: 'GSI-RecipientFingerprint',
+      KeyConditionExpression: 'recipientFingerprint = :fp',
+      FilterExpression: '#status = :pending AND expiresAt > :now',
+      ExpressionAttributeNames: {
+        '#status': 'status',
+      },
+      ExpressionAttributeValues: {
+        ':fp': fingerprint,
+        ':pending': 'pending',
+        ':now': now,
+      },
+    }),
+  );
+  const invites = (result.Items ?? []).map((item) => ({
+    inviteId: item['inviteId'],
+    senderFingerprint: item['senderFingerprint'],
+    projectTenantId: item['projectTenantId'],
+    role: item['role'],
+    createdAt: item['createdAt'],
+  }));
+  return {
+    statusCode: 200,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ invites }),
+  };
+}
+/**
+ * POST /v1/invites/{id}/accept - Accept an invite
+ */
+export async function handleAcceptInvite(
+  tenantId: string,
+  fingerprint: string,
+  inviteId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const result = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: {
+        PK: `INVITE#${inviteId}`,
+        SK: 'META',
+      },
+    }),
+  );
+  if (!result.Item) {
+    return {
+      statusCode: 404,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'not_found', message: 'Invite not found' }),
+    };
+  }
+  const invite = result.Item;
+  // Check recipient matches
+  if (invite['recipientFingerprint'] !== fingerprint) {
+    return {
+      statusCode: 403,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'forbidden', message: 'Not authorized to accept this invite' }),
+    };
+  }
+  // Idempotent: already accepted
+  if (invite['status'] === 'accepted') {
+    return {
+      statusCode: 200,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({
+        status: 'already_accepted',
+        encryptedPayload: invite['encryptedPayload'],
+        projectTenantId: invite['projectTenantId'],
+      }),
+    };
+  }
+  // Check status is pending
+  if (invite['status'] !== 'pending') {
+    return {
+      statusCode: 409,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'conflict', message: `Invite is ${invite['status']}` }),
+    };
+  }
+  // Check not expired
+  if (new Date(invite['expiresAt'] as string) < new Date()) {
+    return {
+      statusCode: 410,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'expired', message: 'Invite has expired' }),
+    };
+  }
+  const now = new Date();
+  const acceptedAt = now.toISOString();
+  // Schedule cleanup: TTL 24 hours after acceptance
+  const cleanupTtl = Math.floor(now.getTime() / 1000) + TWENTY_FOUR_HOURS_SECONDS;
+  await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: {
+        PK: `INVITE#${inviteId}`,
+        SK: 'META',
+      },
+      UpdateExpression: 'SET #status = :accepted, acceptedAt = :acceptedAt, #ttl = :ttl',
+      ExpressionAttributeNames: {
+        '#status': 'status',
+        '#ttl': 'ttl',
+      },
+      ExpressionAttributeValues: {
+        ':accepted': 'accepted',
+        ':acceptedAt': acceptedAt,
+        ':ttl': cleanupTtl,
+      },
+    }),
+  );
+  await logAuditEvent(ddb, tableName, tenantId, {
+    eventType: 'invite-accepted' as any,
+    fingerprint,
+    metadata: {
+      inviteId,
+      projectTenantId: invite['projectTenantId'],
+    },
+  });
+  logger.info('Invite accepted', { tenantId, inviteId });
+  return {
+    statusCode: 200,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({
+      status: 'accepted',
+      encryptedPayload: invite['encryptedPayload'],
+      projectTenantId: invite['projectTenantId'],
+    }),
+  };
+}
+/**
+ * POST /v1/invites/{id}/decline - Decline an invite
+ */
+export async function handleDeclineInvite(
+  tenantId: string,
+  fingerprint: string,
+  inviteId: string,
+  body: string | null | undefined,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const result = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: {
+        PK: `INVITE#${inviteId}`,
+        SK: 'META',
+      },
+    }),
+  );
+  if (!result.Item) {
+    return {
+      statusCode: 404,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'not_found', message: 'Invite not found' }),
+    };
+  }
+  const invite = result.Item;
+  // Check recipient matches
+  if (invite['recipientFingerprint'] !== fingerprint) {
+    return {
+      statusCode: 403,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'forbidden', message: 'Not authorized to decline this invite' }),
+    };
+  }
+  // Check status is pending
+  if (invite['status'] !== 'pending') {
+    return {
+      statusCode: 409,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'conflict', message: `Invite is already ${invite['status']}` }),
+    };
+  }
+  await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: {
+        PK: `INVITE#${inviteId}`,
+        SK: 'META',
+      },
+      UpdateExpression: 'SET #status = :declined, declinedAt = :declinedAt',
+      ExpressionAttributeNames: {
+        '#status': 'status',
+      },
+      ExpressionAttributeValues: {
+        ':declined': 'declined',
+        ':declinedAt': new Date().toISOString(),
+      },
+    }),
+  );
+  // Handle optional block
+  let parsed: { block?: boolean; senderFingerprint?: string } = {};
+  if (body) {
+    try {
+      parsed = JSON.parse(body);
+    } catch {
+      // Ignore invalid JSON in decline body — blocking is optional
+    }
+  }
+  if (parsed.block && parsed.senderFingerprint) {
+    await ddb.send(
+      new PutCommand({
+        TableName: tableName,
+        Item: {
+          PK: `TENANT#${tenantId}`,
+          SK: `BLOCK#${parsed.senderFingerprint}`,
+          blockedAt: new Date().toISOString(),
+        },
+      }),
+    );
+    logger.info('Sender blocked', { tenantId, senderFingerprint: parsed.senderFingerprint });
+  }
+  await logAuditEvent(ddb, tableName, tenantId, {
+    eventType: 'invite-declined' as any,
+    fingerprint,
+    metadata: {
+      inviteId,
+      blocked: parsed.block ?? false,
+    },
+  });
+  logger.info('Invite declined', { tenantId, inviteId });
+  return {
+    statusCode: 200,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ status: 'declined' }),
+  };
+}

package/dist/lib/handler/routes/notifications.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+interface HandlerResponse {
+    statusCode: number;
+    body: string;
+    headers: Record<string, string>;
+}
+export type NotificationType = 'device_linked' | 'device_revoked' | 'key_rotated';
+export interface DeviceInfo {
+    hostname?: string;
+    platform?: string;
+    arch?: string;
+    osVersion?: string;
+    deviceModel?: string | null;
+    location?: string | null;
+}
+/**
+ * Create a notification for a tenant.
+ *
+ * DynamoDB: PK: TENANT#{tenantId}, SK: NOTIFICATION#{timestamp}#{suffix}
+ */
+export declare function createNotification(tenantId: string, type: NotificationType, deviceInfo: DeviceInfo, ddb: DynamoDBDocumentClient, tableName: string): Promise<void>;
+/**
+ * GET /v1/notifications — return unacknowledged notifications for tenant.
+ */
+export declare function handleGetNotifications(tenantId: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+/**
+ * POST /v1/notifications/{id}/dismiss — mark notification as acknowledged.
+ */
+export declare function handleDismissNotification(tenantId: string, notificationId: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+/**
+ * G3: Resolve IP address to approximate location.
+ *
+ * For Lambda, use a lightweight approach: extract country/region from
+ * CloudFront headers if available, otherwise return null.
+ * A full MaxMind integration can be added later.
+ */
+export declare function resolveIpLocation(headers: Record<string, string>): string | null;
+export {};
+//# sourceMappingURL=notifications.d.ts.map

package/dist/lib/handler/routes/notifications.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"notifications.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/notifications.ts"],"names":[],"mappings":"AACA,OAAO,EACL,sBAAsB,EAIvB,MAAM,uBAAuB,CAAC;AAG/B,UAAU,eAAe;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAKD,MAAM,MAAM,gBAAgB,GAAG,eAAe,GAAG,gBAAgB,GAAG,aAAa,CAAC;AAElF,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,gBAAgB,EACtB,UAAU,EAAE,UAAU,EACtB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC,CAqBf;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,EACtB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CAgC1B;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,GAAG,IAAI,CAahF"}